skorov/ridrelay
Fork: 58 Star: 391 (updated 2024-11-22 05:55:43)
license: GPL-3.0
Language: Python
Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
Latest release: v1.1 (2020-05-20 11:35:32)
RidRelay
Quick and easy way to get domain usernames while on an internal network.
Hit me up: @skorov8
How it works
RidRelay combines the NTLM relay attack, common lsarpc-based queries and RID cycling to get a list of domain usernames. It takes these steps:
- Spins up SMB and HTTP servers and waits for an incoming connection
- The incoming credentials are relayed to a specified target, creating a connection in the context of the relayed user
- Queries are made down the SMB connection to the lsarpc pipe to get the list of domain usernames. This is done by cycling up to 50000 RIDs
- The password policy is extracted through the samr pipe
(For best results, use with Responder)
Dependencies
- Python 3.6
- Impacket v0.9.20-dev or above
Installation
pipenv install
pipenv shell
# Optional: Run if installing impacket
git submodule update --init --recursive
cd submodules/impacket
pip install .
cd ../..
Usage
First, find a target host to relay to. The target must be a member of the domain and MUST have SMB signing off. CrackMapExec can get this info for you very quickly!
Start RidRelay pointing to the target:
python ridrelay.py -t 10.0.0.50
OR
Also output usernames to file
python ridrelay.py -t 10.0.0.50 -o path_to_output.txt
Highly Recommended: Start Responder to trick users into connecting to RidRelay
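The relay only works against a host that does not require SMB signing, so the defensive counterpart of the target check above is to audit your own hosts for that setting. The following added example (not part of the RidRelay project) parses an SMB2 NEGOTIATE response per MS-SMB2 and reports whether the server merely supports signing or actually enforces it; the response bytes are constructed inline as sample data, and the function names are my own.

```python
import struct

# MS-SMB2 2.2.4: SecurityMode flags in the NEGOTIATE response
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_HEADER_LEN = 64              # fixed SMB2 packet header
SMB2_NEGOTIATE = 0x0000           # command id
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001


def signing_policy(packet: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (without the 4-byte NetBIOS length
    prefix) and return the server's signing policy. A host that does not
    *require* signing accepts a relayed, unsigned session; a host that
    requires it rejects the relay."""
    if len(packet) < SMB2_HEADER_LEN + 6:
        raise ValueError("too short for an SMB2 header plus NEGOTIATE body")
    if packet[:4] != b"\xfeSMB":
        raise ValueError("not SMB2 (SMB1 reports signing in a different field)")
    command, = struct.unpack_from("<H", packet, 12)
    if command != SMB2_NEGOTIATE:
        raise ValueError(f"expected NEGOTIATE, got command 0x{command:04x}")
    structure_size, mode, dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("malformed NEGOTIATE response body")
    required = bool(mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    return {
        "dialect": dialect,
        "signing_enabled": bool(mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": required,
        "relay_exposed": not required,   # True: signing off or optional, fix it
    }


def build_negotiate_response(mode: int, dialect: int = 0x0302) -> bytes:
    """Construct a minimal, well-formed NEGOTIATE response (sample data only)."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ16s",
        64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, bytes(16))
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, mode, dialect, 0, bytes(16), 0, 65536, 65536, 65536, 0, 0, 0x80, 0, 0)
    return header + body


if __name__ == "__main__":
    # constructed samples: signing optional (a relay target) vs. signing enforced
    for mode in (SMB2_NEGOTIATE_SIGNING_ENABLED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
        print(signing_policy(build_negotiate_response(mode)))
```

To audit a real host, feed `signing_policy` the NEGOTIATE response read from port 445 after stripping the NetBIOS session header; the expected result on a hardened domain member is `signing_required == True`.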
Shout out
Mad props go to:
- Ronnie Flathers (@ropnop) - Original idea on low priv smb relaying
TODO:
- Add password policy enumeration - DONE
- Dynamic relaying based on where incoming creds have admin rights
- Getting active sessions???
- Connect with Bloodhound???
- Decided to keep this tool simple. Above functionality will come in a new tool at some stage
Recent releases (data updated 2024-09-03 03:34:13):
2020-05-20 11:35:32 v1.1
Topics:
activedirectory, impacket, pentesting, python